U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Briefing Report:
Improvements Needed in EPA's Information Security Program

Report No. 13-P-0257                                        May 13, 2013


Report Contributors:    Rudolph M. Brevard
                        Cheryl Reid
                        Vincent Campbell
                        Neven Soliman
                        Albert E. Schmidt
                        Rodney Allison
                        Nii-Lantei Lamptey
                        Kyle Denning


Abbreviations

CERT      Computer Emergency Response Team
EPA       U.S. Environmental Protection Agency
FDCC      Federal Desktop Core Configurations
FISMA     Federal Information Security Management Act
OCSPP     Office of Chemical Safety and Pollution Prevention
OEI       Office of Environmental Information
POA&M     Plan of Action and Milestones
TSCA      Toxic Substances Control Act
USGCB     U.S. Government Configuration Baseline


Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

  email:    OIG_Hotline@epa.gov
  phone:    1-888-546-8740
  fax:      202-566-2599
  online:   http://www.epa.gov/oig/hotline.htm
  write:    EPA Inspector General Hotline
            1200 Pennsylvania Avenue, NW
            Mailcode 2431T
            Washington, DC 20460


U.S. Environmental Protection Agency                         13-P-0257
Office of Inspector General                                  May 13, 2013

At a Glance

Briefing Report: Improvements Needed in EPA's Information Security Program

Why We Did This Review
The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) prepared this supplemental report to document the details, and make recommendations, for weaknesses the OIG identified during its review of the Agency's information security program and practices. That review was conducted as required by the Federal Information Security Management Act (FISMA), which requires inspectors general to prepare an annual evaluation of their agencies' information security programs and practices. The Department of Homeland Security issued reporting guidelines documenting 11 FISMA reporting metrics to be evaluated as part of the fiscal year 2012 FISMA audit.

What We Found
We found weaknesses in the following Agency programs regarding its information security program and practices:

  • Continuous monitoring management
  • Configuration management
  • Risk management
  • Plan of action and milestones
  • Contractor systems

This supplemental report to our previously issued report, Fiscal Year 2012 Federal Information Security Management Act Report: Status of EPA's Computer Security Program (Report No. 13-P-0032), issued October 26, 2012, provides additional detailed information for the above weaknesses.

Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Environmental Information implement the continuous monitoring activities as specified in the Agency's Continuous Monitoring Strategic Plan, document the remediation of configuration-related vulnerabilities, and implement a strategic plan for EPA's risk management framework.

The Agency concurred with the report's recommendations and provided high-level planned corrective actions with completion dates. The Agency needs to provide a completion date for one planned corrective action and additional information on how the EPA will verify that offices remediate identified weaknesses.

Noteworthy Achievements
The Office of Environmental Information has developed a strategic plan for continuous monitoring, approved the risk management framework, and created a Risk Executive Group tasked with developing an Agency-wide risk management strategy.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

  • Strengthen EPA's Workforce and Capabilities.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2013/20130513-13-P-0257.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

May 13, 2013

MEMORANDUM

SUBJECT:    Briefing Report: Improvements Needed in EPA's Information Security Program
            Report No. 13-P-0257

FROM:       Arthur A. Elkins Jr.

TO:         Malcolm D. Jackson, Assistant Administrator and Chief Information Officer
            Office of Environmental Information

This is our report on the subject evaluation conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the EPA position. The Agency concurred with the report's recommendations and provided high-level planned corrective actions with completion dates. However, the Agency needs to provide a completion date for one planned corrective action and revise another planned corrective action to fully address the report's recommendation. Therefore, the responses to those two recommendations are considered unresolved. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 60 calendar days. You should include planned corrective actions and completion dates for all unresolved recommendations. Your response will be posted on the OIG's public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Richard Eyermann, Acting Assistant Inspector General for Audit, at (202) 566-0565 or eyermann.rich@epa.gov; or Rudolph M. Brevard, Director, Information Resources Management Audits, at (202) 566-0893 or brevard.rudy@epa.gov.


Improvements Needed in EPA's Information Security Program

Results of Review

                                13-P-0257                               1


Purpose

The Federal Information Security Management Act (FISMA) requires inspectors general to perform an annual evaluation of their agencies' information security programs and practices. We found information security weaknesses during our fiscal year 2012 FISMA audit of the U.S. Environmental Protection Agency (EPA). This briefing report provides the details for the weaknesses found during the FISMA audit.

                                13-P-0257                               2


Scope and Methodology

This is a supplemental draft report based on the fiscal year 2012 FISMA audit. We conducted the FISMA audit work at EPA headquarters in Washington, D.C.; the National Computer Center, Research Triangle Park, North Carolina; and all 10 regions. This audit was conducted from February 2012 through November 2012. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our review objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

                                13-P-0257                               3


Scope and Methodology (Cont.)

We reviewed federal regulations and EPA policies and procedures. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of EPA's operations. We also conducted limited tests of selected information system security controls.

                                13-P-0257                               4


Scope and Methodology (Cont.)

For fiscal year 2012, we conducted an overall assessment for the following 11 FISMA metrics:

    1. Continuous monitoring management
    2. Configuration management
    3. Identity and access management
    4. Incident response and reporting
    5. Risk management
    6. Security training
    7. Plan of action and milestones
    8. Remote access management
    9. Contingency planning
   10. Contractor systems
   11. Security capital planning

                                13-P-0257                               5


Continuous Monitoring Management

In June 2012 EPA developed the Continuous Monitoring Strategic Plan. However, the Agency continues working toward implementing the plan's continuous monitoring that includes ongoing assessments of security controls.

Recommendations
We recommend that the Assistant Administrator for Environmental Information:

1.  Implement the continuous monitoring activities as specified in the Agency's Continuous Monitoring Strategic Plan.

                                13-P-0257                               6


Continuous Monitoring Management (Cont.)

Agency Response and OIG Evaluation
The Agency concurs with the recommendation and provided a planned corrective action, but the Agency did not provide a planned completion date. The OIG considers the Agency's response unresolved until a completion date has been established.

                                13-P-0257                               7


Configuration Management

  • EPA is not assessing baseline compliance for EPA's firewalls, routers, and Web server software.

  • EPA did not have a process for timely remediation of configuration compliance scans.

  • EPA did not fully implement Federal Desktop Core Configurations/U.S. Government Configuration Baseline (FDCC/USGCB) secure configuration settings for 4 out of 15 workstations selected for testing.

  • EPA does not have a specified, documented timeline to correct deviations from baseline configurations.

                                13-P-0257                               8


Configuration Management (Cont.)

  • EPA did not ensure that no unauthorized firewall rule modifications occurred.

  • EPA has configuration management policies and procedures. However, the procedures did not provide guidance as to what the program offices and regions should classify as configuration items (i.e., hardware, software, firmware) for information systems, and did not provide a timeline of the system's development life cycle.

                                13-P-0257                               9


Recommendations

We recommend that the Assistant Administrator for Environmental Information:

2.  Assess baseline compliance for EPA's firewalls, routers, and Web servers software.

3.  Update the configuration management process to verify program offices remediate FDCC/USGCB deviations in a timely manner.

4.  Perform regular reviews of firewall rules to ensure no unauthorized changes were made.

                                13-P-0257                              10


Recommendations (Cont.)

5.  Update configuration management procedures to define what the program offices and regions should classify as configuration items for information systems, and define when during the system development life cycle the configurable items are to be placed under configuration management.

Agency Response and OIG Evaluation
The Agency concurs with the recommendations and provided planned corrective actions and completion dates, but the planned action does not fully address recommendation 3. The planned action does not include a verification procedure to confirm that program offices actually remediate FDCC/USGCB deviations in a timely manner.

                                13-P-0257                              11


Risk Management

  • Senior EPA officials throughout the Agency are currently not briefed on:

    - Mission/business-specific risks and organizational level (strategic) risks.
    - Threat activity described in U.S. Computer Emergency Response Team's (CERT's) cyber-security threat reports.

  • Although the risk management framework has been approved, the strategic plan needs to be implemented (e.g., the strategic plan cites "security controls need to be implemented and verified").

                                13-P-0257                              12


Risk Management (Cont.)

  • EPA has recently approved the establishment of a Risk Executive Group. However, the group needs to:

    - Define the core mission and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations).
    - Define both the types of information that the organization needs in order to successfully execute the stated missions and business processes and the internal and external information flows.
    - Specify the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.

                                13-P-0257                              13


Risk Management (Cont.)

    - Specify the types and extent of risk mitigation measures the organization plans to employ to address identified risks.
    - Specify how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation.
    - Specify the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out.

                                13-P-0257                              14


Recommendations

We recommend that the Assistant Administrator for Environmental Information:

6.  Brief senior EPA officials throughout the Agency on information system specific risks (tactical), mission/business specific risks and organizational level (strategic) risks, and threat activity described in U.S. CERT cyber-security threat reports.

7.  Implement a strategic plan for EPA's risk management framework.

                                13-P-0257                              15


Recommendations (Cont.)

8.  Work with the Risk Executive Group to:

    a. Define the core mission and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations).
    b. Identify the types of information that the organization needs in order to successfully execute the stated missions and business processes.
    c. Specify the degree of autonomy for subordinate organizations that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.

                                13-P-0257                              16


Recommendations (Cont.)

    d. Specify the types and extent of risk mitigation measures the organization plans to employ to address identified risks.
    e. Specify how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation.

Agency Response and OIG Evaluation
The Agency concurs with the recommendations and provided planned corrective action with completion dates for each recommendation. The OIG concurs with the planned actions.

                                13-P-0257                              17


Plan of Action and Milestones

EPA does not have plan of action and milestones (POA&M) procedures or processes that provide assurance that the weaknesses identified have been corrected by the planned remediation.

Recommendation
We recommend that the Assistant Administrator for Environmental Information:

9.  Implement POA&M procedures to verify that weaknesses identified in POA&Ms are corrected by the planned remediation.

                                13-P-0257                              18


Plan of Action and Milestones (Cont.)

Agency Response and OIG Evaluation
The Agency concurs with the recommendation and provided a planned corrective action with a completion date. The OIG concurs with the planned action.

                                13-P-0257                              19


Contractor Systems

The Office of Chemical Safety and Pollution Prevention (OCSPP) did not complete the required annual assessment of security controls for the Toxic Substances Control Act (TSCA) Online system. As of August 2012, OCSPP had assessed only 1.35% of the security controls.

OCSPP personnel stated that in August 2010 they submitted a request to the Office of Environmental Information (OEI) to have the system removed from Office of Management and Budget reporting. OCSPP personnel stated that even though the OEI did not provide a formal response, they were under the impression that their request was granted when advised to add tasks in the EPA's Automated System Security Evaluation and Remediation Tracking system to close out the system.

                                13-P-0257                              20


Contractor Systems (Cont.)

OCSPP personnel stated that they have not completed an assessment of security controls on the system since August 2010. OCSPP personnel stated that in March 2012 OEI informed them that the system could not be removed. OCSPP informed the OIG that contractor services have been obtained to perform a risk assessment and certification and accreditation for the system.

Recommendation
We recommend that the Assistant Administrator for Environmental Information:

10. Verify that OCSPP completed an assessment of security controls for the TSCA Online system.

                                13-P-0257                              21


Contractor Systems (Cont.)

Agency Response and OIG Evaluation

The Agency concurs with the recommendation and provided a planned corrective action with a completion date. The OIG concurs with the planned action.

                                13-P-0257                              22


Status of Recommendations and Potential Monetary Benefits

Columns: Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s): Claimed Amount | Agreed-To Amount

Rec.  Page  Subject                                                 Status  Action Official                 Planned      Claimed  Agreed-To
No.   No.                                                                                                   Completion   Amount   Amount
                                                                                                            Date
 1     6    Implement the continuous monitoring activities as        U      Assistant Administrator for
            specified in the Agency's Continuous Monitoring                 Environmental Information
            Strategic Plan.

 2    10    Assess baseline compliance for EPA's firewalls,          O      Assistant Administrator for     09/30/2013
            routers, and Web servers software.                              Environmental Information

 3    10    Update the configuration management process to           U      Assistant Administrator for
            verify program offices remediate FDCC/USGCB                     Environmental Information
            deviations in a timely manner.

 4    10    Perform regular reviews of firewall rules to ensure      O      Assistant Administrator for     09/30/2013
            no unauthorized changes were made.                              Environmental Information

 5    11    Update configuration management procedures to            O      Assistant Administrator for     06/28/2013
            define what the program offices and regions should              Environmental Information
            classify as configuration items for information
            systems, and define when during the system
            development life cycle the configurable items are to
            be placed under configuration management.

 6    15    Brief senior EPA officials throughout the Agency on      O      Assistant Administrator for     06/30/2103
            information system specific risks (tactical),                   Environmental Information
            mission/business specific risks and organizational
            level (strategic) risks, and threat activity described
            in U.S. CERT cyber-security threat reports.

 7    15    Implement a strategic plan for EPA's risk                O      Assistant Administrator for     12/31/2013
            management framework.                                           Environmental Information

 8    16    Work with the Risk Executive Group to:                   O      Assistant Administrator for     12/31/2013
                                                                            Environmental Information
      16      a. Define the core mission and business processes
                 for the organization (including any derivative or
                 related missions and business processes carried
                 out by subordinate organizations).

      16      b. Identify the types of information that the
                 organization needs in order to successfully
                 execute the stated missions and business
                 processes.

      16      c. Specify the degree of autonomy for subordinate
                 organizations that the parent organization
                 permits for assessing, evaluating, mitigating,
                 accepting, and monitoring risk.

      17      d. Specify the types and extent of risk mitigation
                 measures the organization plans to employ to
                 address identified risks.

      17      e. Specify how the organization plans to monitor
                 risk on an ongoing basis given the inevitable
                 changes to organizational information systems
                 and their environments of operation.

 9    18    Implement POA&M procedures to verify that                O      Assistant Administrator for     06/30/2013
            weaknesses identified in POA&Ms are corrected by                Environmental Information
            the planned remediation.

10    21    Verify that OCSPP personnel complete an                  O      Assistant Administrator for     09/06/2013
            assessment of security controls for the TSCA                    Environmental Information
            Online system.

(1)  O = recommendation is open with agreed-to corrective actions pending
     C = recommendation is closed with all agreed-to actions completed
     U = recommendation is unresolved with resolution efforts in progress

                                13-P-0257                           23-24


Appendix A

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF ENVIRONMENTAL INFORMATION

4/19/2013

MEMORANDUM

SUBJECT:    Response to Office of Inspector General Draft Report No. OMS-FY12-0003
            "Briefing Report: Improvements Needed in EPA's Information Security Program," dated March 6, 2013

FROM:       Malcolm D. Jackson
            Assistant Administrator and Chief Information Officer

TO:         Arthur A. Elkins, Jr.
            Inspector General

Thank you for the opportunity to respond to the issues and recommendations in the subject audit report. Following is a summary of the agency's overall position, along with its position on each of the report recommendations. For those report recommendations with which the agency agrees, we have provided high-level intended corrective actions and estimated completion dates.

AGENCY'S OVERALL POSITION

Senior Agency Information Security Officer Response
The report facts are accurate with regard to the areas the Senior Agency Information Security Officer (SAISO) has direct insight or access to the underlying information with the following exceptions. Under the Risk Management section, the Office of Inspector General (OIG) did not define what roles are considered 'Senior EPA officials' nor which U.S. Computer Emergency Response Team's (CERT) cyber security threat reports are in scope for these officials. The assumption is that the OIG is not stating that all U.S. CERT threat reports should be briefed to senior officials since the majority of the reports are technical in nature and too low level to be useful for 'senior officials.' Also, the assumption is that the OIG did not intend to include system administrators, Information Security Officers and other such roles as senior officials to whom these technical, low level reports would be appropriate.

                                13-P-0257                              25

EPA defines 'Senior Officials' as the Deputy Administrator, Chief Information Officer (CIO), and Deputy CIO. These roles receive threat briefs at a level appropriate for senior officials that enable them to manage strategic risks. EPA Authorizing Officials – those roles accepting risk at the system and mission level – receive appropriate mission and system level risk briefs through the system authorization process. Information Security Officers (ISOs) periodically receive U.S. CERT threat briefs as well as threat briefs from the EPA CSIRC. The ISOs and others in EPA also have available to them daily threat reports provided by a U.S. CERT source provider. Given the defined scopes of senior officials and threat briefs above, the SAISO believes the agency is complying with recommendations 6 through 10.

Office of Environmental Information, Office of Technology Operations and Planning Response
The Office of Technology Operations and Planning (OTOP) agrees with the Office of Inspector General's (OIG) recommendations affecting resources under OTOP's purview and have provided high-level intended corrective actions and estimated completion dates for recommendations 1 through 5.

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

Agreements

No.  Recommendation                            High-Level Intended Corrective Action(s)                Estimated Completion by
                                                                                                       Quarter and FY
 1   Implement the continuous monitoring       OTOP is responsible for implementing the Continuous     TBD
     activities as specified in the Agency's   Monitoring (CM) activities in the Agency's CM
     Continuous Strategic Plan.                Strategic Plan. A high level gap analysis has been
                                               performed and OTOP management is reviewing the
                                               findings for further action to include task
                                               designation among the

                                13-P-0257                              26

 2   Assess baseline compliance for EPA's      OTOP/NCC will:                                          FY13 QTR 4
     firewalls, routers, and web server's        Procure 3rd                                           (September 30, 2013)
     software.
party\n                                                    independent\n                                                    assessment to\n                                                    formally review\n                                                    baseline.\n                                                    Add NIST 800-\n                                                    53 control, CM-\n                                                    02 as point of\n                                                    emphasis during\n                                                    future risk\n                                                    assessments.\n 3          Update the configuration              OTOP/EDSD, with            FY13 QTR 4\n            management process to verify          input from the SAISO,      (September 6, 2013)\n            program offices remediate             will provide training\n            FDCC/USGCB deviations in a            and procedures for the\n            timely manner.                        Tivoli Endpoint\n                                                  Administrators to run\n                                                  compliance reports that\n                                                  will show\n                                                  FDCC/USGCB\n                                                  deviations for their\n                                                  respective program or\n                                                  regional office.\n 4          Perform regular reviews of firewall   OTOP/NCC will              FY13 QTR 4\n            rules to ensure no unauthorized       review and recommend       (September 30, 2013)\n            changes were made.                    
a practical solution for\n                                                  firewall rule reviews\n                                                  and integrity\n                                                  correlations. The\n                                                  implementation\n                                                  schedule will be\n                                                  assessed and\n                                                  determined based on\n                                                  approved solution and\n                                                  resource constraints.\n 5          Update configuration management       OTOP will:                 FY13 QTR 3 (April 15,\n            procedures to define what the          Identify standard         2013)\n            program offices and regions should     guidance for\n            classify as configuration items for    identifying IT\n            information systems, and define        configuration\n            when during the system                 items based on\n            development life cycle the             best practices.\n            configurable items are to be placed\n            under configuration management.        
OTOP will update          FY13 QTR 3 (June 28,\n                                                   the Configuration         2013)\n                                                   Management\n                                                   procedure.\n\n\n\n\n13-P-0257                                                                                     27\n\x0c 6          Brief senior EPA officials               The SAISO concurs    FY13 QTR 3 (June 30,\n            throughout the Agency on                 with the following   2013)\n            information system specific risks        recommendations\n            (tactical), mission/business specific    and plans to take\n            risks and organizational level           stated actions\n            (strategic) risks, and threat activity\n            described in U.S. CERT cyber-\n            security threat reports.\n 7          Implement a strategic plan for        The CIO\xe2\x80\x99s office will   FY14 QTR 1\n            EPA\xe2\x80\x99s risk management framework.      finalize and begin      (December 31, 2013)\n                                                  implementing a\n                                                  Risk Managment\n                                                  Strategic Plan by\n                                                  the end of Q1FY14\n 8          Work with the Risk Executive          The CIO\xe2\x80\x99s office will   FY14 QTR 1\n            Group to:                             finalize and begin      (December 31, 2013)\n            a. Define the core mission and        implementing a Risk\n               business processes for the         Managment Strategic\n               organization (including any        Plan by the end of\n               derivative or related missions     Q1FY14. 
This work\n               and business processes carried     will be accomplished\n               out by subordinate                 in the development\n               organizations).                    and implementation\n            b. Identify the types of information of the Risk\n               that the organization needs in     Management\n               order to successfully execute the Strategic Plan.\n               stated missions and business\n               processes.\n               c. Specify the degree of\n               autonomy for subordinate\n               organizations that the parent\n               organization permits for\n               assessing, evaluating, mitigating,\n               accepting, and monitoring risk.\n            d. Specify the types and extent of\n               risk mitigation measures the\n               organization plans to employ to\n               address identified risks.\n            e. Specify how the organization\n               plans to monitor risk on an\n               ongoing basis given the\n               inevitable changes to\n               organizational information\n               systems and their environments\n               of operation.\n\n\n\n\n13-P-0257                                                                                  28\n\x0c 9          Implement POA&M procedures to          The SAISO will          FY13 QTR 3 (June 30,\n            verify that weaknesses identified in   implement a Plans of    2013)\n            POA&Ms are corrected by the            Actions and\n            planned remediation.                   
Milestones\n                                                   (POA&M) validation\n                                                   and monitoring\n                                                   process in Q3FY13.\n 10         Verify that OCSPP completed an         The SAISO will verify   FY13 QTR 4\n            assessment of security controls for    OCSSP has completed     (September 6, 2013)\n            the TSCA Online system.                security controls\n                                                   assessment on TSCA\n                                                   Online by the end of\n                                                   Q4FY13.\n\n\n  If you have any questions or concerns about this response, please feel free to contact\n  Tom Tracy, Acting Director of the Policy, Outreach and Communications Staff, at\n  (202) 564-6518 or Scott Dockum the OEI Audit Follow-up Coordinator at (202) 566-1914.\n\n  cc:\n        Robert McKinney\n        Anne Mangiafico\n        Brenda Young\n        Thomas Tracy\n        Scott Dockum\n\n\n\n\n13-P-0257                                                                                   29\n\x0c                                                                                Appendix B\n\n                                    Distribution\nOffice of the Administrator\nAssistant Administrator for Environmental Information and Chief Information Officer\nAgency Follow-Up Official (CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nSenior Agency Information Security Officer\nDirector, Office of Technology Operations and Planning, Office of Environmental Information\nAudit Follow-Up Coordinator, Office of Environmental Information\nAudit Follow-Up Coordinator, Office of Technology Operations and Planning,\n       Office of Environmental 
Information\n\n\n\n\n13-P-0257                                                                                     30\n\x0c"